
Trying some fixes for request validation.

1 parent c848b7f commit 7aa9f79af79279648a72e55f327bdc1812b33b46 @JEG2 JEG2 committed Feb 13, 2011
Showing with 8,022 additions and 8 deletions.
  1. +7,989 −0 lib/simplepay/helpers/ca-bundle.crt
  2. +33 −8 lib/simplepay/helpers/notification_helper.rb
7,989 lib/simplepay/helpers/ca-bundle.crt
7,989 additions, 0 deletions not shown because the diff is too large. Please use a local Git client to view these changes.
41 lib/simplepay/helpers/notification_helper.rb
@@ -39,16 +39,41 @@ module NotificationHelper
# end
# end
#
- def valid_simplepay_request?(endpoint, query)
- url = Simplepay.use_sandbox ? 'https://fps.sandbox.amazonaws.com' : 'https://fps.amazonaws.com'
+ def valid_simplepay_request?(params, endpoint = request.url[/\A[^?]+/])
+ host = Simplepay.use_sandbox ? "https://fps.sandbox.amazonaws.com" :
+ "https://fps.amazonaws.com"
+ query = build_simplepay_query_string( params.except( :controller,
+ :action,
+ :id ) )
+ request = { "Action" => "VerifySignature",
+ "Version" => "2008-09-17",
+ "UrlEndPoint" => endpoint,
+ "HttpParameters" => query }
+ url = "#{host}/?#{build_simplepay_query_string(request)}"
+
+ uri = URI.parse(url)
+ http = Net::HTTP.new(uri.host, uri.port)
+ http.use_ssl = true
+ http.ca_file = File.join(File.dirname(__FILE__), "ca-bundle.crt")
+ http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+ http.verify_depth = 5
- endpoint = CGI.escape(endpoint)
- query = CGI.escape(query)
+ response = http.start { |session|
+ get = Net::HTTP::Get.new("#{uri.path}?#{uri.query}")
+ session.request(get)
+ }
- url_and_query = url + "/?Action=VerifySignature&Version=2008-09-17&UrlEndPoint=#{endpoint}&HttpParameters=#{query}"
-
- result = Nokogiri::XML(open(url_and_query)) rescue false
- return (result ? (result.css("VerificationStatus").children.to_s == "Success") : false)
+ xml = Nokogiri.XML(response.body)
+ xml && xml.xpath( "//xmlns:VerificationStatus/text()",
+ xml.namespaces ).to_s == "Success"
+ rescue
+ false
+ end
+
+ def build_simplepay_query_string(params)
+ params.map { |k, v|
+ "#{CGI.escape(k.to_s)}=#{CGI.escape(v.to_s)}"
+ }.join("&")
end
end
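Review bot: The bare `rescue` that closes `valid_simplepay_request?` turns every failure — a missing or unreadable `ca-bundle.crt`, an SSL verification error, a DNS or timeout failure — into `false`, so a misconfigured deployment rejects every notification yet is indistinguishable from a forged request and leaves nothing in the logs. Failing closed is the right outcome, but the method should report the exception before returning, e.g. `rescue StandardError => e` followed by `logger.warn("SimplePay signature verification failed: #{e.class}: #{e.message}") if respond_to?(:logger)` and then `false`. Two smaller points in the same method: the local `request = { "Action" => ...` shadows the controller's `request` method that the `endpoint` default argument relies on, so renaming it to `verify_request` removes a trap for the next edit, and `xml &&` is dead because `Nokogiri.XML` always returns a document, so the check can be `xml.xpath(...).to_s == "Success"` alone. The response status is never checked either, so a non-2xx body is parsed as if it were a VerifySignature result; `return false unless response.is_a?(Net::HTTPSuccess)` before the parse makes that fail-closed path explicit. The enclosing `NotificationHelper` module begins above the hunk.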

